If you were talking to someone whose organization is considering SonarQube, what would you say?
How would you rate it and why? Any other tips or advice?
SonarQube is a very good tool. It is lightweight and very cost effective as compared to IBM AppScan. The dashboard is really neat and easy to operate. It gives a lot of information that makes it very easy for the developers. You can get it set up as an automated process every time the code is checked in. I would say, however, that it is not a vulnerability assessment tool. The dev and security team use this solution very closely. Fifteen to twenty people in total use it. I would rate this solution an eight out of ten.
I would rate this product somewhere between six and seven. It works for many clients, but if the user's needs and the application are super critical, people should go with commercial products like Micro Focus. If the deployment is less critical, they can go with SonarQube or another open source software solution.
My advice is to focus on quality, not on tools. Work on the quality of your code and get a quality culture, but don't require the use of a tool. SonarQube is an okay tool. I'd suggest it as a default tool, but I wouldn't rave about it. In all of my previous jobs, there has been somebody using SonarQube. They're usually very positive. I don't share that positiveness, but the reasons for that are that I don't believe you can have metrics of code quality based upon code analysis. I don't think it's possible for a computer to do it. I don't rate any tool higher than a five or six, ever. JUnit is the only tool that gets a rating of ten. On a scale of one to ten, where ten is JUnit, I would rate SonarQube as about a five or a six.
This is a very nice product and I would recommend it. It is one of the best tools on the market to analyze your code. If more rules for security were added then we would not have to use Checkmarx or other tools. SonarQube is very nice, but just missing some security rules. I would rate this solution a seven out of ten.
My advice for anybody interested in implementing this solution is to start with the community version and try it out. It doesn't take long to see value in it, and it's very straightforward, easy, and intuitive to use. There are add-ons that are available for purchase that we have not tried, although we're quite content with what we have right now. I would rate this solution an eight out of ten.
We advise all of our developers to have this solution in place. That way, whenever they are developing, they will get live tracking with respect to the quality of their code. I would rate this solution a seven out of ten.
This product is good but it is not meant to be a single solution for all issues. If you want to have your code scanned and timed then this is a good tool. If you want security to be part of it then you may need multiple tools. Overall, my advice is to use this tool in areas where it is strong. I would rate this solution a six out of ten.
I would rate SonarQube as a nine out of ten. Once you start drilling down through the menus, it tells you a lot of stuff about your code in one view. That's really quite neat. That shows you a view of maintainability. They have a maintainability view that shows bubbles for all the different code modules, and yours is beside the bubble. This represents the amount of "code smells," which is actually kind of a common definition. The bigger the bubble, the more your code smells. This shows where more attention is needed or it's a bubble that's kind of drifting out of control. I have one graph here where there are probably 50 bubbles. There's one axis that shows technical debt, meaning the amount of work that it's going to take to get the smells under control. The other axis is lines of code, which is obviously a very common thing to look at. On this particular graph, there are a whole bunch of bubbles down in the lower-left corner, which means you have a lot of small manageable things. If you hover over the bubble, it tells you what module it is, how many lines of code, technical debt and manpower estimate, things like that.
I would suggest trying the product. I like its usability because it has a simple approach. We use this solution in conjunction with Jenkins, and we have a two-week deployment cycle. I would rate this solution a seven out of ten.
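Two of the reviewers above describe running SonarQube automatically on every check-in and driving it from Jenkins. The piece that actually turns a scan into a gate is checking the quality gate result and failing the build when it is not green. The script below is an added example, not code from any reviewer or from SonarSource. It assumes a SonarQube server whose Web API exposes GET /api/qualitygates/project_status?projectKey=<key> and returns the JSON shape sketched in the constructed sample; the server URL, token and project key are placeholders you supply on the command line. A gate whose status is anything other than OK (including NONE, meaning the gate has not been computed yet) is treated as a failure, so a misconfigured pipeline cannot pass silently.

```python
"""Fail a CI step when a SonarQube quality gate is not green.

Added example, not code from the reviews or from SonarSource. Assumes the
SonarQube Web API endpoint /api/qualitygates/project_status?projectKey=...
and the response shape shown in SAMPLE_RESPONSE (a constructed sample).
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Constructed sample of a project_status response: two conditions pass and the
# security rating on new code fails (rating 2 is worse than the threshold of 1).
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "0.0"},
        ],
        "ignoredConditions": False,
    }
}


def fetch_project_status(base_url, token, project_key):
    """Query a real server. SonarQube tokens go in the Basic-auth username
    slot with an empty password; the URL, token and key are caller-supplied."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{base_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_quality_gate(payload):
    """Return (passed, failures).

    passed is True only when the overall status is exactly "OK" and no
    condition is non-OK. failures lists each failing condition in a form
    that is readable in a build log.
    """
    status = payload["projectStatus"]
    failures = []
    for cond in status.get("conditions", []):
        if cond.get("status") != "OK":
            failures.append(
                f"{cond['metricKey']}: actual {cond.get('actualValue')} "
                f"{cond.get('comparator')} threshold {cond.get('errorThreshold')}"
            )
    passed = status.get("status") == "OK" and not failures
    return passed, failures


def main(argv):
    # With no arguments, evaluate the constructed sample so the script runs
    # offline; with <base_url> <token> <project_key>, query the real server.
    if len(argv) == 4:
        payload = fetch_project_status(argv[1], argv[2], argv[3])
    else:
        payload = SAMPLE_RESPONSE
    passed, failures = evaluate_quality_gate(payload)
    for line in failures:
        print("quality gate condition failed:", line)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the scan job and let the non-zero exit code fail the build; with the sample payload it exits 1 and names new_security_rating as the failing condition. If the scan runs asynchronously on the server, poll the CE task first, otherwise the endpoint can still report the previous analysis.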
From experience, you should just size the scale of what you're trying to do to the maturity of the organization.
On a scale from one to ten with ten being the best, I would rate this product around an 8. If SonarQube makes some improvements with the security features, I would also probably use the product much more.
We are looking at using another product to complement it for security reasons. Most important criteria when selecting a vendor:
* Usability of the product
* Responsiveness when we have issues.